Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
Starlette vulnerable to O(n^2) DoS via Range header merging in `starlette.responses.FileResponse`
GHSA-7f5h-v6xp-fcq8 CVE-2025-62727 HIGH about 1 month ago
### Summary
An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` ...
pypi
22 Dependabot PRs
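The Starlette advisory above describes a crafted Range header driving quadratic-time work in the merge step. The following is an added example, not Starlette's code: it parses a multi-range `bytes=` header, shows an illustrative quadratic merge (each incoming range compared against every range accumulated so far) beside a sort-and-sweep merge, and caps the number of range specs before any merging happens. `MAX_RANGES`, the function names and the constructed worst-case input are assumptions for illustration; the per-request cap is the check a practitioner would want in front of any such merge.

```python
# Added example, not Starlette's own code. Parsing and merging of HTTP Range
# header byte ranges; MAX_RANGES is an assumed per-request cap, not a Starlette
# setting, and the quadratic merge is an illustrative pattern for comparison.
import re
from typing import Dict, List, Optional, Tuple

MAX_RANGES = 16  # assumed cap; legitimate clients rarely send more than a few specs

_SPEC = re.compile(r"^(\d*)-(\d*)$")
Range = Tuple[int, int]  # inclusive (start, end) byte offsets


def parse_range_header(value: str, file_size: int) -> List[Range]:
    """Parse 'bytes=a-b,c-d,-n,...' into inclusive (start, end) pairs clipped to
    file_size. Rejects malformed specs, unsatisfiable ranges and, before any
    merging work is done, requests carrying more than MAX_RANGES specs."""
    if not value.startswith("bytes="):
        raise ValueError("unsupported range unit")
    specs = [s.strip() for s in value[len("bytes="):].split(",") if s.strip()]
    if not specs:
        raise ValueError("empty range header")
    if len(specs) > MAX_RANGES:  # the cap runs before the O(n^2)/O(n log n) step
        raise ValueError(f"too many ranges: {len(specs)} > {MAX_RANGES}")
    ranges: List[Range] = []
    for spec in specs:
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed range spec {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix range: the last `last` bytes of the file
            length = int(last)
            if length == 0:
                raise ValueError("zero-length suffix range")
            start, end = max(file_size - length, 0), file_size - 1
        else:
            start = int(first)
            end = int(last) if last else file_size - 1
            if start > end:
                raise ValueError(f"inverted range {spec!r}")
            end = min(end, file_size - 1)
        if start >= file_size:
            raise ValueError(f"range {spec!r} not satisfiable")
        ranges.append((start, end))
    return ranges


def merge_ranges_quadratic(ranges: List[Range],
                           stats: Optional[Dict[str, int]] = None) -> List[Range]:
    """Illustrative vulnerable pattern: each incoming range is compared against
    every range accumulated so far, so n disjoint ranges cost n(n-1)/2
    comparisons. stats["cmp"] counts comparisons so the cost can be measured."""
    merged: List[Range] = []
    for start, end in ranges:
        keep: List[Range] = []
        for m_start, m_end in merged:
            if stats is not None:
                stats["cmp"] = stats.get("cmp", 0) + 1
            if start <= m_end + 1 and m_start <= end + 1:  # overlap or adjacency
                start, end = min(start, m_start), max(end, m_end)
            else:
                keep.append((m_start, m_end))
        keep.append((start, end))
        merged = keep
    return sorted(merged)


def merge_ranges_linear(ranges: List[Range],
                        stats: Optional[Dict[str, int]] = None) -> List[Range]:
    """Sort once, then sweep: O(n log n) total and exactly n-1 comparisons."""
    if not ranges:
        return []
    ordered = sorted(ranges)
    merged: List[Range] = [ordered[0]]
    for start, end in ordered[1:]:
        m_start, m_end = merged[-1]
        if stats is not None:
            stats["cmp"] = stats.get("cmp", 0) + 1
        if start <= m_end + 1:  # sorted by start, so only the tail can overlap
            merged[-1] = (m_start, max(end, m_end))
        else:
            merged.append((start, end))
    return merged


def comparison_cost(n: int) -> Tuple[int, int]:
    """Constructed worst case: n disjoint single-byte ranges (0-0, 2-2, 4-4, ...)
    fed straight to both merges, bypassing the parser's cap, to show the work a
    server does per request without one. Returns (quadratic, linear) counts."""
    ranges = [(2 * i, 2 * i) for i in range(n)]
    quad: Dict[str, int] = {}
    lin: Dict[str, int] = {}
    assert merge_ranges_quadratic(ranges, quad) == merge_ranges_linear(ranges, lin)
    return quad.get("cmp", 0), lin.get("cmp", 0)


if __name__ == "__main__":
    parsed = parse_range_header("bytes=0-99,50-149,300-399,-100", file_size=1000)
    print(merge_ranges_linear(parsed))  # [(0, 149), (300, 399), (900, 999)]
    print(comparison_cost(2000))  # (1999000, 1999)
```

The cap matters more than the merge algorithm: an unauthenticated client controls n, and the header is parsed before any authentication or rate limiting a framework might apply later, so bound n as early as possible and treat the merge's complexity as defence in depth.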
PrivateBin is missing HTML sanitization of attached filename in file size hint
GHSA-867c-p784-5q6g CVE-2025-62796 MODERATE about 1 month ago
We’ve identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached file...
packagist
No PRs yet
Contrast has insecure LUKS2 persistent storage partitions which may be opened and used
GHSA-f5p4-p5q5-jv3h MODERATE about 1 month ago
### Summary
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeles...
go
No PRs yet
InventoryGui allows item duplication in GUIs which use GuiStorageElement
GHSA-7whh-79j3-7c55 CVE-2025-62784 MODERATE about 1 month ago
### Impact
Any plugin using a GUI with the GuiStorageElement that allows taking items out of that element.
### Patches
InventoryGui 1.6.5 (incl...
maven
No PRs yet
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
GHSA-qcpr-679q-rhm2 CVE-2025-59837 HIGH about 1 month ago
### Summary
This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047e...
npm
No PRs yet
Sliver has unrestricted traffic between Wireguard clients
GHSA-q8j9-34qf-7vq7 CVE-2025-27093 MODERATE about 1 month ago
### Summary
Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients; this could lead to:
1. Leaked/recovered keypair (fr...
go
No PRs yet
Keycloak vulnerable to session takeovers due to reuse of session identifiers
GHSA-rg35-5v25-mqvp CVE-2025-12390 MODERATE about 1 month ago
A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browse...
maven
No PRs yet
ImageMagick has Integer Overflow in BMP Decoder (ReadBMP)
GHSA-9pp9-cfwx-54rm CVE-2025-62171 MODERATE about 1 month ago
## Summary
CVE-2025-57803 claims to be patched in ImageMagick 7.1.2-2, but **the fix is incomplete and ineffective**. The latest version **7.1.2-5...
nuget
1 Dependabot PR
Keycloak allows access to admin path through flaw
GHSA-c6cm-5gc7-c3f4 CVE-2025-10939 LOW about 1 month ago
A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path to the outside in case the installation is using a proxy. The...
maven
No PRs yet
Liferay Portal Vulnerable to DoS via Crafted Headless API Request
GHSA-vgqx-447m-wvcj CVE-2025-62260 HIGH about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older u...
maven
No PRs yet
Liferay Portal Vulnerable to CSRF in Headless APIs
GHSA-gh4w-8qgq-8w9r CVE-2025-62258 HIGH about 1 month ago
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92...
maven
No PRs yet
Liferay Portal Does Not Limit Access to APIs Before Email Verification
GHSA-gv7w-jh8g-vr73 CVE-2025-62259 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 ...
maven
No PRs yet
Liferay Portal Stores Password Reset Tokens in Plain Text
GHSA-xcj6-xpjg-c4xr CVE-2025-62261 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 G...
maven
No PRs yet
ImageMagick CLAHE: Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
GHSA-wpp4-vqfq-v4hp CVE-2025-62594 MODERATE about 1 month ago
## Summary
A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors....
nuget
No PRs yet
Liferay Portal Vulnerable to Information Exposure Through a Log File Vulnerability in LDAP Import Feature
GHSA-cw79-fq4f-9r96 CVE-2025-62262 MODERATE about 1 month ago
Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions...
maven
No PRs yet
Liferay Portal Vulnerable to Open Redirect via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter
GHSA-2pwh-9q9q-5r9c CVE-2025-62253 MODERATE about 1 month ago
Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-8mgf-rgg5-w38q CVE-2025-62263 MODERATE about 1 month ago
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA ...
maven
No PRs yet
Keycloak TLS Client-Initiated Renegotiation Denial of Service
GHSA-q8hq-4h99-fj7x CVE-2025-11419 HIGH about 1 month ago
Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. A...
maven
No PRs yet
Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations
GHSA-gv8h-7v7w-r22q CVE-2025-62725 HIGH about 1 month ago
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.exten...
go
No PRs yet
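The Docker Compose advisory above turns on one decision: path information carried inside a remote artifact's layer annotations was trusted when choosing where to write. The following is an added example, not Compose's code, showing the containment check a consumer of such metadata needs. The annotation key `example.compose.path`, the layer descriptors and the destination directory are constructed for illustration; the page truncates the real annotation name and it is not reproduced here. The check goes beyond the single case in the advisory: it rejects absolute values and `..` lexically, then resolves the result and confirms it still sits under the base directory, which also catches escapes through a symlink already present under the base.

```python
# Added example, not Docker Compose's own code. Containment check for a
# relative path that arrives in untrusted artifact metadata. The annotation
# key, the sample layers and the destination directory are constructed.
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import List, Tuple

ANNOTATION_KEY = "example.compose.path"  # hypothetical key for illustration


def contained_path(base: Path, untrusted: str) -> Path:
    """Return base/untrusted fully resolved, or raise ValueError if the value is
    empty, absolute, contains '..', NUL or a backslash, or resolves (through
    symlinks) to anything that is not strictly below base."""
    if not untrusted or "\x00" in untrusted or "\\" in untrusted:
        raise ValueError(f"rejected path value {untrusted!r}")
    rel = PurePosixPath(untrusted)  # artifact paths are POSIX-style regardless of host
    if rel.is_absolute() or ".." in rel.parts or not rel.parts:
        raise ValueError(f"rejected path value {untrusted!r}")
    base_real = base.resolve()
    target = (base_real / Path(*rel.parts)).resolve()
    if base_real not in target.parents:  # post-resolution check catches symlink escapes
        raise ValueError(f"{untrusted!r} resolves outside {base_real}")
    return target


# Constructed layer descriptors: the annotation value is whatever the remote
# artifact says it is, so every one of these is attacker-controlled input.
SAMPLE_LAYERS = [
    {"annotations": {ANNOTATION_KEY: "compose.yaml"}},
    {"annotations": {ANNOTATION_KEY: "../../.ssh/authorized_keys"}},
    {"annotations": {ANNOTATION_KEY: "/etc/cron.d/job"}},
    {"annotations": {ANNOTATION_KEY: "overrides/./prod.yaml"}},
    {"annotations": {ANNOTATION_KEY: "envs/../../../etc/passwd"}},
]


def plan_writes(base: str, layers) -> Tuple[List[str], List[str]]:
    """Split layers into accepted destinations (relative to the resolved base)
    and rejected annotation values. Nothing is written to disk."""
    base_path = Path(base)
    base_real = base_path.resolve()
    accepted: List[str] = []
    rejected: List[str] = []
    for layer in layers:
        value = layer["annotations"].get(ANNOTATION_KEY, "")
        try:
            target = contained_path(base_path, value)
        except ValueError:
            rejected.append(value)
            continue
        accepted.append(target.relative_to(base_real).as_posix())
    return accepted, rejected


def symlink_escape_is_caught() -> bool:
    """Lexical '..' filtering alone misses a symlink that already exists under
    base. Builds tmp/project/link -> tmp/outside and asks for 'link/compose.yaml';
    returns True if the resolved-path check rejects it."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d, "project")
        outside = Path(d, "outside")
        base.mkdir()
        outside.mkdir()
        os.symlink(outside, base / "link")
        try:
            contained_path(base, "link/compose.yaml")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(plan_writes("/srv/project", SAMPLE_LAYERS))
    # (['compose.yaml', 'overrides/prod.yaml'],
    #  ['../../.ssh/authorized_keys', '/etc/cron.d/job', 'envs/../../../etc/passwd'])
    print(symlink_escape_is_caught())  # True
```

Resolving before the comparison is the part most implementations skip; it is also the only part that defends against a link planted in an earlier layer of the same artifact, so keep the lexical rejects for clear error messages but never rely on them alone.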
Wasmtime vulnerable to segfault when using component resources
GHSA-4h67-722j-5pmc CVE-2025-62711 LOW about 1 month ago
### Impact
The implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully cra...
cargo
1 Dependabot PR
BBOT's gitlab.py exposes globally configured "gitlab" API key
GHSA-p3v4-c93g-cmhw CVE-2025-10282 MODERATE about 1 month ago
### Summary
bbot's `gitlab.py` sends the user's "gitlab" API key to on-premise GitLab instances.
If a user has configured a gitlab.com API key us...
pypi
No PRs yet
InventoryGui allows item duplication with experimental "Bundle" item in GUIs which use GuiStorageElement
GHSA-rgvh-4m82-fvjq CVE-2025-62782 MODERATE about 1 month ago
### Impact
Any plugin using the GuiStorageElement is impacted when used on a server which allows the (currently experimental) Bundle items.
### Pa...
maven
No PRs yet
InventoryGui affected by item duplication in GUIs which use GuiStorageElement
GHSA-598q-jw82-5w66 CVE-2025-62783 MODERATE about 1 month ago
### Impact
Any plugin using the `GuiStorageElement` is impacted.
### Patches
Patched with https://github.com/Phoenix616/InventoryGui/commit/27a52e...
maven
No PRs yet
pg8000 SQL injection vulnerability via a specially crafted Python list input
GHSA-wq2g-r956-j8cc CVE-2025-61385 HIGH about 1 month ago
SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list i...
pypi
No PRs yet
Apache Tomcat Vulnerable to Relative Path Traversal
GHSA-wmwf-9ccg-fff5 CVE-2025-55752 HIGH about 1 month ago
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, f...
maven
No PRs yet
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
GHSA-vfww-5hm6-hx2j CVE-2025-55754 LOW about 1 month ago
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supp...
maven
No PRs yet
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
GHSA-hgrr-935x-pq79 CVE-2025-61795 LOW about 1 month ago
If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to di...
maven
No PRs yet
Constellation has insecure LUKS2 persistent storage partitions which may be opened and used
GHSA-hq76-6gh2-5g4q CVE-2025-58356 HIGH about 1 month ago
### Summary
A malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the [OpenCryptDevice](https://githu...
go
No PRs yet
LangGraph's SQLite store implementation has a SQL Injection Vulnerability
GHSA-4h97-wpxp-3757 CVE-2025-8709 HIGH about 1 month ago
A SQL injection vulnerability exists in the langchain-ai/langgraph repository, specifically in the LangGraph's SQLite store implementation. The aff...
pypi
No PRs yet
Bouncy Castle Vulnerable to Uncontrolled Resource Consumption
GHSA-jv6h-4262-q663 CVE-2025-12194 MODERATE about 1 month ago
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legio...
maven
No PRs yet
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p MODERATE about 1 month ago
### Summary
A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` v...
npm
3 Dependabot PRs
Rancher exposes sensitive information through audit logs
GHSA-mw39-9qc2-f7mg CVE-2024-58269 MODERATE about 1 month ago
### Impact
**Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.**
A vulnerability h...
go
No PRs yet
Karmada Dashboard API Unauthorized Access Vulnerability
GHSA-5qjg-9mjh-4r92 CVE-2025-62714 CRITICAL about 1 month ago
### Impact
This is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/se...
go
No PRs yet
Rancher user retains access to clusters despite Global Role removal
GHSA-j4vr-pcmw-hx59 CVE-2023-32199 MODERATE about 1 month ago
### Impact
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or...
go
No PRs yet
Liferay Portal ComboServlet denial of service via large file combination
GHSA-q95h-87j6-273x CVE-2025-62254 MODERATE about 1 month ago
The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 ...
maven
No PRs yet
Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON
GHSA-vp5w-xcfc-73wf CVE-2025-12044 HIGH about 1 month ago
Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a reg...
go
No PRs yet
MCMS reflected cross-site scripting (XSS) vulnerability
GHSA-wvv5-5g6x-hp7j CVE-2025-60837 MODERATE about 1 month ago
A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's bro...
maven
No PRs yet
HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass
GHSA-9g4h-h484-3578 CVE-2025-11621 HIGH about 1 month ago
Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_ia...
go
No PRs yet
Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page
GHSA-gccf-r9xp-x8jx CVE-2025-62255 LOW about 1 month ago
Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsuppor...
maven
No PRs yet
rollbar vulnerable to Prototype Pollution in merge()
GHSA-xcg2-9pp4-j82x CVE-2025-62517 MODERATE about 1 month ago
### Impact
Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution...
npm
No PRs yet
Piranha CMS vulnerable to stored cross-site scripting (XSS)
GHSA-3qcp-9v8c-6jp7 CVE-2025-61413 MODERATE about 1 month ago
A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web sc...
nuget
No PRs yet
Kottster app reinitialization can be re-triggered allowing command injection in development mode
GHSA-j3w7-9qc3-g96p CVE-2025-62713 HIGH about 1 month ago
### Impact
**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development...
npm
No PRs yet
OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method
GHSA-jp7h-4f3c-9rc7 CVE-2025-59048 HIGH about 1 month ago
### Impact
This is a cross-account impersonation vulnerability in the `auth-aws` plugin. The vulnerability allows an IAM role from an untrusted AWS...
go
No PRs yet
Liferay Portal and DXP do not properly restrict access to OpenAPI
GHSA-j82q-c85j-xw4w CVE-2025-62256 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA ...
maven
No PRs yet
Keycloak does not invalidate offline sessions when the offline_access scope is removed
GHSA-895x-rfqp-jh5c CVE-2025-12110 MODERATE about 1 month ago
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token ...
maven
No PRs yet
Keycloak does not invalidate sessions when "Remember Me" is disabled
GHSA-64w3-5q9m-68xf CVE-2025-11429 MODERATE about 1 month ago
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Ses...
maven
No PRs yet
Moodle vulnerable to brute-force password guesses
GHSA-m58f-9pvv-8mp2 CVE-2025-62399 HIGH about 1 month ago
Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute...
packagist
No PRs yet
Moodle exposed the names of hidden groups to users
GHSA-422v-w6c5-vq42 CVE-2025-62400 MODERATE about 1 month ago
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal pr...
packagist
No PRs yet
Moodle's error handling leads to sensitive information disclosure
GHSA-c5cj-xp43-qcc3 CVE-2025-62396 MODERATE about 1 month ago
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers ...
packagist
No PRs yet
Moodle has a time restriction bypass
GHSA-w29j-8phw-ffjf CVE-2025-62401 MODERATE about 1 month ago
An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to co...
packagist
No PRs yet